Building Business Narratives to Sell Security to the Board
Session #120, February 13, 2019
Theresa Z. Meadows, SVP & CIO, Cook Children’s Healthcare System
David S. Finn, EVP, Strategic Information, CynergisTek
Conflict of Interest
Theresa Meadows, RN, MS, FHIMSS, CHCIO, FACHE
Has no real or apparent conflicts of interest to report.
Conflict of Interest
David Finn, CISA, CISM, CRISC
Has no real or apparent conflicts of interest to report.
Agenda
- Translating Cyber Risk to Business Risk
- Illustrating the Business Risk Story
- Peer Comparison and Outside Verification
- What Not to Do -- Waste the Board’s Time
- Building Relationships
- And Now from the CIO’s Perspective . . .
- Keys to Success
- Relationship
- Explaining the Why
- People
- Describing the Risks and Painting the Picture
- This is a Patient Safety Issue
Learning Objectives
- Assess the current cybersecurity threat landscape and the business impact of recent data breaches, in order to educate the board and senior leadership on the business risks associated with security programs
- Compare how "selling" cybersecurity to the board is less effective than using storytelling to educate board members on the threats and get them involved in establishing good information security governance
- Evaluate real-world examples of how a CIO effectively leveraged key strategies to build awareness and support for security projects, initiatives and culture within her organization
- Outline key strategies security leaders can use to gain resources to develop a strong security program and establish a relationship with the board
- Illustrate how security leaders can leverage metrics/data, peer comparison and third-party validation to showcase the business risk associated with security programs to senior business leaders
It’s About Healthcare . . .
(Diagram: Patient Safety & Trust at the center, framed by Socio-Economic Drivers and Privacy & Security Drivers, with three surrounding groups)
- Opportunities: Primary Care; Home & Tele-Health; Population Health; ACO / Health Information Exchange; Enterprise Risk Management
- Operations: Physicians and Payers; Business Associate / 3rd Party Risk; Patient Engagement; Regulatory / Legal; Medical Device Concerns
- Outcomes: Analytics / Informatics; Value-based Services (Patient, Provider, Payer); Vulnerability and Threat Sharing
Selling Cybersecurity to the C-Level and the Board
Corporate Leadership (including the Board) does not have a deep understanding of cybersecurity.
- Is it a lack of commitment or a lack of knowledge?
- Selling is easier than it used to be -- no one wants a cyber event
- It is more about storytelling . . .
- Savvy CEOs, COOs, CFOs, CMOs and CNOs, but they’re not security experts
- That’s our job!
Translating Cyber Risk to Business Risk
- The audience may not understand cyber risk, but they will understand their business and business risk
- Translate your cyber risk into their business risk
- Understand how your organization makes money and how it operates
Illustrate Your Business Risk Story
- No one wants to fund fiction
- "Illustrate" your story
- Measures
- Metrics
- Executive and Board education
- Industry trends
- New regulations
- May not always be good
Peer Comparisons
Some Security Metrics
Outside Verification
- Sr. leaders and the Board like this
- It is not about grades
- Managing the deliverable
  o You can’t change the grade
  o You can adjust the message
- Verifying work
- ID’ing new issues
Third Party Risk Management
- It just isn’t happening much
- #1 rated risk by CISOs
- NIST CSF 1.1
- Not really an IT or Security risk
Wasting the Board’s Time
- Boards understand costs, impacts and risks
- Use real-world examples
- One size doesn’t fit all
Building a Relationship with the Board
- Say what you are going to do.
- Do what you said.
- Demonstrate it.
About Cook Children’s
- Founded in 1918: Fort Worth Free Baby Hospital
- Cook Children’s Hospital
- Fort Worth Children’s Hospital
- 1984 Merger: Cook-Fort Worth Children’s Medical Center
- 2013: Nationally recognized Integrated Delivery System
Cook Children’s Health Care System Today
Nine Companies:
- CC Medical Center
- CC Physician Network
- CC Home Health
- CC Health Plan
- CC Health Foundation
- CC Hurst Surgery Center (JV)
- CC Pediatric Surgery Center (JV)
- CC Health Services (for profit)
- CC Health Care System
Keys to Success
- Executive Governance (aka buy-in)
  o Board of Directors
  o Organizational Leadership
- Explain the why
- Education and awareness
- Continuous monitoring and improvement
Key Relationships to Nurture . . .
- CEO, CFO, CMO, CNO . . . and their main business units
- Facility CEOs
- CMIO
- CNIO
- Legal
- Compliance
- Privacy
Explain the Why?
Healthcare is Complex
- Rapid Digital Transformation
- Regulatory Environment
- Connected Medical Devices
- Need for Interoperability
- Lack of Security Talent
- Other Factors*
*HHS Health Care Industry CyberSecurity Task Force Report
And Then There Are People . . .
Types of Risks
- Privacy
- Patient Safety
- Integrity
- Availability
Impact of Cybersecurity Risks in Healthcare
- Competition: patient privacy violations can influence where individuals choose to get their care
- Reputation: security incidents that lead to media coverage can significantly damage public perception of the organization
- Culture: outstanding care is also about how well the integrity and privacy of patient records and electronic transactions are maintained
- Financial: significant penalties and litigation for security incidents where protected patient health information, credit card or other information protected by federal laws is disclosed
Paint a Picture
External and Internal Forces
Never Waste a Good Crisis: Gaining Buy-In
Largest Healthcare Breaches 2017

Entity                                  | Number of Affected Individuals | Type of Breach
----------------------------------------|--------------------------------|------------------------------------
Airway Oxygen of Michigan               | 500K                           | Hacking of server
Women’s Healthcare Group of PA          | 300K                           | Hacking of desktop and server
Urology Austin                          | 279K                           | Ransomware
Pacific Alliance Medical Ctr.           | 266K                           | Hacking of server
Peachtree Neurological Ctr. of Georgia  | 176K                           | Hacking of server
Tampa Bay Surgery Center                | 142K                           | Hacking of server / public posting
McLaren Medical Group                   | 106K                           | Hacking of server
Emory Healthcare                        | 79K                            | Hacking of server / extortion
Salina Family Healthcare Ctr.           | 77K                            | Ransomware
Stephenville Medical & Surgical         | 75K                            | Unauthorized disclosure / email
ABCD Pediatrics                         | 55K                            | Ransomware
Torrance California Medical Ctr.        | 46K                            | Hacking of email
St. Marks Surgical Ctr. in Florida      | 33K                            | Hacking of server
280,000+ identified as attacks and stopped per month on average
What Boards and Executives Should Know
- Understand that cybersecurity is an enterprise-wide management issue, not an IT issue
- Understand the legal and financial implications of a security breach
- Understand the impact to reputation if security is compromised
- Boards should be included in cyber risk discussions
- Boards should ensure adequate resources are spent on security
Cybersecurity is a Patient Safety Issue
Making it Real . . .
What if I say: Cybersecurity is the people, processes and technologies that . . .
- Keep our children safe from online predators and cyber bullying
- Ensure someone doesn’t steal your identity and empty your bank account
- Prevent someone from publicly posting your personal emails
- Stop someone from gaining unauthorized access to medical records, social security numbers, and other sensitive data
Culture of Security at Cook Children’s
- New employee orientation
- Monthly security education
- Quarterly "Ask the CISO" blog posts
- Repeat Offenders Education
What Can We Do?
- All the technology in the world will not prevent security issues
- Awareness is key to success: focus on changing behavior rather than strictly on compliance
- Employees are our most valuable asset
Awareness Trend YTD
In Conclusion . . .
Creating a culture of security begins with the Board and the Executive Team.
This is the key to protecting our patients’ safety.
Questions?
Theresa Z. Meadows, RN, MS, CHCIO, FHIMSS
Email: Theresa.Meadows@cookchildrens.org
David S. Finn
Email: david.finn@cynergistek.com